Let's Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading App Distribution: "snowman" & ADVObfuscator
2019-10-17 • Vkremez
The reverse-engineering post documents a Lazarus Windows x86 loader/backdoor delivered through the fake JMT Trading cryptocurrency application campaign. The signed JMTTrader_Win.msi installer dropped CrashReporter.exe, which executed with the “Maintain” argument and used a renamed ADVObfuscator library called “snowman” to complicate analysis. The malware collected host and process data, performed file and registry operations, encoded victim information, and communicated through multipart HTTP requests. The activity extends AppleJeus-style cryptocurrency targeting with Windows and macOS malware, a fake company website, GitHub releases, and code signing.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 4d6078fc1ea6d3cd65c3ceabf659616… | 2019-10-17 | 2021-02-18 |
| HASH | 07c38ca1e0370421f74c949507fc0d2… | 2019-10-17 | 2021-02-18 |
| HASH | e352d6ea4da596abfdf51f617584611… | 2019-10-17 | 2021-02-18 |
| HASH | 9bf8e8ac82b8f7c3707eb12e77f94cd… | 2019-10-17 | 2021-02-18 |
| URL | https://www.jmttrading.org/ | 2019-10-12 | 2020-01-01 |